A federal appeals court upheld a nine-year prison term Monday for a hacker who tried and failed to steal customer credit-card numbers from the Lowe's chain of home improvement stores.

Brian Salcedo, now 23, has been in custody since 2003, when an FBI stakeout caught him and a partner breaking into several Lowe's networks over an unsecured Wi-Fi connection at a suburban Detroit store.

Under Monday's ruling, Salcedo will not be eligible for release until May 2011.

Assistant U.S. attorney Matthew Martens, who prosecuted the case, said the sentence is long, but appropriate. "I hope it achieves, not only justice in this case, but deterrence to other people thinking about doing something similar," Martens said.

Salcedo's partner in the abortive caper, 22-year-old Adam Botbyl, has less than two months left on a sentence of 26 months for his role in the plot. After serving most of that time in custody, Botbyl is now in a halfway house in Detroit.

According to court records, Botbyl stumbled across the unsecured wireless network at the Southfield, Michigan, Lowe's in the spring of 2003, while he and a roommate were wardriving the area in search of Wi-Fi hot spots.

He returned six months later with Salcedo, who was on the last month of a three-year probation term from a juvenile computer crime conviction. Together, the pair discovered they could jump from the Southfield Lowe's to the company's central data center in North Carolina, and from there to the local networks at stores around the country.

Lowe's detected the intrusions and called in the FBI, who staked out the store parking lot. The agents eventually spotted Botbyl's Pontiac Grand Prix, bristling with antennas and occupied by two young men typing on laptops. The agents watched them work for 20 minutes, then trailed them to a Little Ceasar's pizza restaurant and a local multiplex, while Lowe's security team worked to figure out what the hackers had done.

They discovered that at two of the stores -- in Long Beach, California, and Gainseville, Florida -- the pair had modified a proprietary piece of software called "tcpcredit" that Lowe's used to handle credit-card transactions, changing the program so it would stash customer's credit-card numbers where the hackers could retrieve them later. The program had collected only six credit-card numbers when it was discovered.

The FBI arrested Salcedo, Botbyl and -- apparently mistakenly -- Botbyl's roommate, Paul Timmins, who later pleaded guilty to a misdemeanor for using the Wi-Fi network to check his e-mail. Salcedo and Botbyl pleaded guilty to conspiracy and computer fraud in plea agreements with prosecutors.

Though there's no evidence either man saw a single stolen credit-card number, and despite cooperating to help Lowe's boost its security after his arrest, Salcedo was sentenced to what the government described at the time as the longest U.S. prison term for a hacker in history.

Nowadays there are penalties if compnaies aren't PCI (Payment Card Industry) certified. If they don't have this compliance they won't be allowed to conduct online transactions. I am not sure if this compliance existed then. Lowe's should have been more diligant and agree that there should have been a penalty for them as well.